Web API: Why is it necessary to expose the client secret in my scenario?

JAL 571 Reputation points
2020-10-07T02:01:21.957+00:00

I'm confused about authentication flows.

I added Swashbuckle/Swagger to my Web API, not realizing that my client secret would be exposed. The Swagger developers seem to regard it as unavoidable, per this link
https://github.com/swagger-api/swagger-ui/issues/4448

Why unavoidable? Doesn't MSAL provide authentication without exposing a client secret? If so, why can't Swagger do it? Or why can't Swagger use MSAL?

My API is at, say,
myApi.azureWebsites.net
and my Swagger at:
myApi.azureWebsites.net/swagger
How is this usually solved? Is there a tutorial on how to make a separate Swagger UI app, say at
mySwagger.azureWebsites.net
which could forward any request to the backend API, using HttpClient?


Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-10-07T05:41:09.103+00:00

    Hi @JAL , thank you for reaching out.

    The client ID and client secret are parameters that MSAL passes to AAD. If you are using a confidential client (a web app, web API or daemon/service) that runs on an Azure PaaS service or any other secured server, only the client ID gets exposed by MSAL, not the client secret, as the client secret is passed only over the back channel to AAD and is never directly exposed.

    You can read more on Confidential clients and Public clients here: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-client-applications

    The rest of the queries related to Swagger, I believe posting a thread on the Swagger forums would be more beneficial to get answers to those.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as the answer if it helped in answering your query.


4 additional answers

  1. JAL 571 Reputation points
    2020-10-07T16:42:47.597+00:00

    Thanks, but I'm a bit slow. MSAL.js uses the client ID to identify the app, with no need for a client secret. Why can't Swagger do the same? What is different about the Swagger scenario that I'm missing here?

    Here's my understanding of MSAL.js. It redirects to the Active Directory URL plus client ID, where Active Directory shows a login page. The user signs in and gets a token if he is in the same tenant as that client ID (otherwise denied). Active Directory redirects the user back to my home page URL plus token. MSAL.js extracts the token from the URL.

    I just don't understand why Swagger can't do the same thing.


  2. JAL 571 Reputation points
    2020-10-08T20:22:52.36+00:00

    Right, I did post on a Swagger forum as well, still hoping for a reply.

    Swagger is fairly ubiquitous so I'm still holding out a little hope that someone on this forum has some experience with it.


  3. JAL 571 Reputation points
    2020-10-12T06:05:39.703+00:00

    I'll give you the credit for the answer even though it's not really what I was hoping for.


  4. Mehdi AINS 1 Reputation point
    2022-05-16T16:29:20.05+00:00

    MSAL.js uses authorization code flow + PKCE, hence it does not need a client secret.

    You can also use authorization code flow + PKCE with Swashbuckle, and hence no client secret will be needed. Make sure you add your redirect URL under Single-page application in the app registration.

    Here is the tutorial on using Swashbuckle with authorization code flow + PKCE: https://lurumad.github.io/swagger-ui-with-pkce-using-swashbuckle-asp-net-core

    So, you can use authorization code flow + PKCE even in your ASP.NET web apps without needing client secrets / certificates.
